GitHub is investigating unauthorized access to their internal repositories

1. zizmor

   1 14 5,600 9.8 Rust

   Static analysis for GitHub Actions

   

   scary..

   harden your github actions!

   - Use Static analysis for GHA: https://github.com/zizmorcore/zizmor

   - set pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security

   - add Socket Free Firewall when installing npm packages on CI https://docs.socket.dev/docs/socket-firewall-free#github-act...

2. SaaSHub

   www.saashub.com featured

   SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

   

3. Visual Studio Code

   2 3,319 186,159 10.0 TypeScript

   Visual Studio Code

   

   > I think one key detail is that all malicious extensions were masquerading as "themes". Creating a permission system would mitigate that, where a theme should only have permission to change visual attributes of VsCode.

   https://github.com/microsoft/vscode/issues/52116#issuecommen...

4. opensnitch

   3 231 13,725 9.4 Python

   OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.

   

   the pop-ups fatigue is already an issue, and not an easy one to solve. Pretty much like SIEM/SOC alerts.

   > The trick is to infect a plugin that has a legitimate reason for accessing the internet or running certain commands, and then coming up with ways to abuse that to exfiltrate the data. Or exfiltrating via DNS queries, or some other vector that isn't so obvious as "allow TCP/UDP connections to the whole world".

   They'll get there, maybe. But the reality is that right now, everyone allows outbound requests blindly.

   Instead of speculating, I suggest to actually investigate current IOCs and common tactics of malicious npm/pip/plugins/VS extensions. Something like this:

   https://github.com/evilsocket/opensnitch/discussions/1119

   Or use OpenSnitch (or Lulu, Glasswire, ZoneAlarm anyone?:D etc) to actually analyze real VS malicious extensions or npm packages and see if it stops the exfiltration, and if not, suggest ways to improve it. For example:

   https://markdownpastebin.com/?id=9c294c75f09349d2977a4ccd250...

5. gisia

   4 6 150 9.7 Ruby

   Self-hosted personal DevOps platform — built by engineers, for engineers.

   

6. vscode-remote-release

   5 44 4,120 0.0 Dockerfile

   Visual Studio Code Remote Development: Open any folder in WSL, in a Docker container, or on a remote machine using SSH and take advantage of VS Code's full feature set.

   

   Kind of.

   A vscode workspace can trivially execute code on the machine that runs the server end of vscode. (This is how building works -- there is no sandbox unless the workspace config explicitly uses some kind of sandbox.) So the workspace can usually trivially elevate permissions to take over the vscode server, including installing extensions on it without asking you.

   In principle, there is a teeny tiny bit of isolation between the local and remote sides, so the remote side cannot trivially execute code on the local machine. But I recommend reading this rather long-standing ticket:

   https://github.com/microsoft/vscode-remote-release/issues/66...

7. nx-console

   6 15 1,410 9.7 TypeScript

   Nx Console is the user interface for Nx & Lerna.

   

   I found more details on how this particular attack worked:

   https://github.com/nrwl/nx-console/issues/3148

   So the extension basically rewrites files in `.github/workflows` and pushes them to GitHub, which then sends all the sensitive information to the attacker. It also attempts to plant a malware on the local machine, too.

   My impression is that it would be hard for an OS-level sandbox to stop this attack. The sandbox needs to determine whether if a git push originating from an IDE is malicious.

Suggest a related project